[Edit: like most Windows XP features, you shouldn't use this. See my second post below for why.]

Just something to be aware of, if for some reason you get stuck with one of these OSes. Win2k and XP do have noninteractive outbound filtering capabilities. This filtering is stateless, i.e. it will not track who started a connection. But in this case we don't really care about that - the ports we want to goodlist are closed to inbound connections by default, and we don't care much about connection state when blocking outbound traffic.

This can block some reverse TCP shell connections, e.g. from a Metasploit compromise here:

The randomly named EXE tries to connect back to Metasploit on port 4444, but the filter will silently block it. The user account is compromised, but information from it is not going anywhere unless the attacker bypasses the IP filtering. Unfortunately there are no notification windows though, nor information in the system logs as far as I can tell...

The obvious caveats are

1. If you run as admin, turning this stuff off is trivial to automate
2. Escalation to SYSTEM is likewise trivial on Windows XP, so running as a limited user is not much help
3. There's no reason an attacker couldn't have a reverse TCP shell server on port 80...

I think it's a bit late to put this to practical use, but maybe it could be handy for people running 2000/XP virtual machines on bridged connections?
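To make the "stateless" point and caveat 3 concrete, here is an added Python model of an outbound port goodlist. It is not the Windows 2000/XP filter itself and not the poster's code: it is a simplified simulation that judges only outbound packets by remote port, run once without connection tracking (the stateless behaviour described above) and once with it, over a constructed trace. The goodlist {80, 443}, the ephemeral ports, the callback to 4444, the retry on 80 and the remote client opening a local service on 3389 are all assumed sample values, not something the post states.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One TCP segment as seen by the host's filter (constructed, simplified)."""
    direction: str      # "out" = leaving this host, "in" = arriving at it
    src_port: int
    dst_port: int
    syn: bool = False
    ack: bool = False


# Hypothetical goodlist of remote ports that outbound connections may use.
ALLOWED_REMOTE_PORTS = frozenset({80, 443})


def run_filter(trace, allowed=ALLOWED_REMOTE_PORTS, stateful=False):
    """Apply an outbound port goodlist to a packet trace.

    Returns a list of (packet, verdict) pairs. Only outbound packets are
    judged; inbound traffic passes untouched, modelling an outbound-only
    filter. With stateful=False the verdict depends on the destination
    port alone. With stateful=True the filter also remembers connections a
    remote peer opened (inbound SYN) so a local server's replies are passed.
    """
    verdicts = []
    inbound_opened = set()   # (local_port, remote_port) of remote-initiated flows
    for pkt in trace:
        if pkt.direction == "in":
            if pkt.syn and not pkt.ack:
                inbound_opened.add((pkt.dst_port, pkt.src_port))
            verdicts.append((pkt, "pass"))
            continue
        if pkt.dst_port in allowed:
            verdicts.append((pkt, "pass"))
        elif stateful and (pkt.src_port, pkt.dst_port) in inbound_opened:
            verdicts.append((pkt, "pass"))
        else:
            verdicts.append((pkt, "drop"))
    return verdicts


# Constructed trace: a callback to a handler on 4444, the same callback
# retried on 80 (caveat 3 above), and a remote client opening a local
# service on 3389 whose SYN-ACK reply this host must send back.
TRACE = [
    Packet("out", 49152, 4444, syn=True),            # callback to port 4444
    Packet("out", 49153, 80, syn=True),              # callback hiding on port 80
    Packet("in", 55555, 3389, syn=True),             # remote peer opens 3389
    Packet("out", 3389, 55555, syn=True, ack=True),  # local reply to that peer
]


def verdict_summary(stateful=False):
    """Return just the verdict strings, in trace order, for one filter mode."""
    return [v for _, v in run_filter(TRACE, stateful=stateful)]


if __name__ == "__main__":
    for mode in (False, True):
        print("stateful" if mode else "stateless")
        for pkt, v in run_filter(TRACE, stateful=mode):
            print(f"  {pkt.direction:3} {pkt.src_port:5}->{pkt.dst_port:<5} {v}")
```

Running it shows why statelessness does not matter for the poster's use: the callback to 4444 is dropped in both modes and the callback on 80 passes in both (the filter cannot tell it from a web request). The only difference appears on the last packet, the reply from a locally hosted service on a port that is not goodlisted, which the stateless filter drops; since such ports are closed inbound by default on a plain install, that case simply does not arise unless you run a server on the box.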